Add fileserver and ldapclient sls
This commit is contained in:
parent
1cf93b8f30
commit
b72b6c960d
8 changed files with 271 additions and 2 deletions
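--- a/pillar/fileserver.sls
+++ b/pillar/fileserver.sls
@@ -0,0 +1,4 @@
+ldap_auth: True
+sftp_group: sftponly
+sftp_chroot: /srv/sftp
+ssh_customer_group: sshuser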
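Review bot: `ldap_auth: True` reads as a switch, but the consumer in states/ldapclient/init.sls only tests `'ldap_auth' in pillar`, so setting it to `False` here would still install libpam-ldapd and let PAM authenticate against the directory. Either make that state test the value (`{% if pillar.get('ldap_auth') %}`) or put a comment above this key saying that presence alone turns the feature on. Independently, write the boolean as lowercase `true`: `True` is the YAML 1.1 spelling and yamllint's truthy rule flags it.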
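--- a/pillar/ldapclient.sls
+++ b/pillar/ldapclient.sls
@@ -0,0 +1,2 @@
+ldap_base: dc=gva,dc=local
+ldap_uris: ldap://172.16.3.3/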
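Review bot: `ldap_uris: ldap://172.16.3.3/` points nslcd at a plain, unencrypted LDAP endpoint; the states/ldapclient/init.sls hunk feeds this value straight into debconf and sets nothing for TLS, so directory lookups and, once libpam-ldapd is installed, the passwords sent in PAM bind requests cross the network in cleartext. If the 172.16.3.0 segment is not fully trusted, prefer `ldap_uris: ldaps://172.16.3.3/` (or add the nslcd STARTTLS settings alongside) and pin the server certificate. A one-line comment above the key stating whether the link is intentionally unencrypted would help the next reader either way.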
@ -6,3 +6,8 @@ base:
|
||||||
- match: grain
|
- match: grain
|
||||||
- gnuviechadmin.{{ role }}
|
- gnuviechadmin.{{ role }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% for role in ('fileserver', 'ldapclient') %}
|
||||||
|
'roles:{{ role }}':
|
||||||
|
- match: grain
|
||||||
|
- {{ role }}
|
||||||
|
{% endfor %}
|
||||||
|
|
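--- a/states/fileserver/exports
+++ b/states/fileserver/exports
@@ -0,0 +1,14 @@
+# /etc/exports: the access control list for filesystems which may be exported
+# to NFS clients. See exports(5).
+#
+# Example for NFSv2 and NFSv3:
+# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
+#
+# Example for NFSv4:
+# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
+#
+
+/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)
+/srv/nfs4/web gvaweb.local(rw,async,no_root_squash,no_subtree_check)
+/srv/nfs4/mail gvamail.local(rw,async,no_subtree_check)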
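Review bot: `/srv/nfs4 *(rw,async,fsid=root,crossmnt,no_subtree_check)` exports the NFSv4 root read-write to every host that can reach the server, while the two real exports below it are restricted to gvaweb.local and gvamail.local. Restricting the root entry to the same two clients, e.g. `/srv/nfs4 gvaweb.local(rw,async,fsid=root,crossmnt,no_subtree_check) gvamail.local(rw,async,fsid=root,crossmnt,no_subtree_check)`, closes that gap without changing what those hosts can mount. `no_root_squash` on /srv/nfs4/web lets root on gvaweb.local write as root into /home/www, and `async` acknowledges writes before they reach disk; both may be wanted here, but each deserves a short comment explaining why.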
@ -0,0 +1,107 @@
|
||||||
|
base-dirs:
|
||||||
|
file.directory:
|
||||||
|
- names:
|
||||||
|
- /srv/nfs4
|
||||||
|
- /srv/sftp
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0755
|
||||||
|
|
||||||
|
nfs4-dirs:
|
||||||
|
file.directory:
|
||||||
|
- names:
|
||||||
|
- /srv/nfs4/web
|
||||||
|
- /srv/nfs4/mail
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0751
|
||||||
|
|
||||||
|
/srv/nfs4/web:
|
||||||
|
mount.mounted:
|
||||||
|
- device: /home/www
|
||||||
|
- fstype: none
|
||||||
|
- opts:
|
||||||
|
- bind
|
||||||
|
- acl
|
||||||
|
- persist: True
|
||||||
|
- require:
|
||||||
|
- file: nfs4-dirs
|
||||||
|
|
||||||
|
/srv/nfs4/mail:
|
||||||
|
mount.mounted:
|
||||||
|
- device: /home/mail
|
||||||
|
- fstype: none
|
||||||
|
- opts:
|
||||||
|
- bind
|
||||||
|
- acl
|
||||||
|
- persist: True
|
||||||
|
- require:
|
||||||
|
- file: nfs4-dirs
|
||||||
|
|
||||||
|
/srv/sftp/home:
|
||||||
|
file.directory:
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0751
|
||||||
|
mount.mounted:
|
||||||
|
- device: /home/mail
|
||||||
|
- fstype: none
|
||||||
|
- opts:
|
||||||
|
- bind
|
||||||
|
- acl
|
||||||
|
- persist: True
|
||||||
|
- require:
|
||||||
|
- file: /srv/sftp/home
|
||||||
|
|
||||||
|
fileserver-packages:
|
||||||
|
pkg.installed:
|
||||||
|
- pkgs:
|
||||||
|
- nfs-kernel-server
|
||||||
|
- rssh
|
||||||
|
service.running:
|
||||||
|
- name: nfs-kernel-server
|
||||||
|
- require:
|
||||||
|
- pkg: fileserver-packages
|
||||||
|
- mount: /srv/nfs4/mail
|
||||||
|
- mount: /srv/nfs4/web
|
||||||
|
|
||||||
|
/etc/exports:
|
||||||
|
file.managed:
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0644
|
||||||
|
- source: salt://fileserver/exports
|
||||||
|
- watch_in:
|
||||||
|
- service: nfs-kernel-server
|
||||||
|
|
||||||
|
{% if 'sftp_group' in pillar %}
|
||||||
|
/srv/sftp/authorized_keys:
|
||||||
|
file.directory:
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0701
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
sshd:
|
||||||
|
pkg.installed:
|
||||||
|
- pkgs:
|
||||||
|
- openssh-server
|
||||||
|
- openssh-blacklist
|
||||||
|
- openssh-blacklist-extra
|
||||||
|
service.running:
|
||||||
|
- name: ssh
|
||||||
|
- require:
|
||||||
|
- pkg: sshd
|
||||||
|
{% if 'sftp_group' in pillar %}
|
||||||
|
- file: /srv/sftp/authorized_keys
|
||||||
|
{% endif %}
|
||||||
|
- watch:
|
||||||
|
- file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
|
/etc/ssh/sshd_config:
|
||||||
|
file.managed:
|
||||||
|
- source: salt://fileserver/sshd_config
|
||||||
|
- template: jinja
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- mode: 0644
|
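Review bot: In the `/srv/sftp/home` state the mount.mounted `- device: /home/mail` repeats the device of the `/srv/nfs4/mail` mount above it, so the sftp chroot tree would get the mail spool bind-mounted under it rather than the users' home directories that `ChrootDirectory {{ pillar['sftp_chroot'] }}%h` in sshd_config expects; judging by the surrounding states the intended line is presumably `- device: /home`. The file header for this hunk is not shown, so I am reading it as the fileserver state. While here, `rssh` is installed but the sshd_config hunk uses `internal-sftp`, so the package looks unused, and the unquoted `mode: 0755` / `0751` / `0701` / `0644` values are parsed by YAML as octal integers — Salt's YAML notes recommend quoting them (`mode: '0755'`) so the leading zero stays explicit.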
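--- a/states/fileserver/sshd_config
+++ b/states/fileserver/sshd_config
@@ -0,0 +1,104 @@
+# sshd configuration generated by salt state
+# do not modify this file directly
+#
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#{% for sshd_interface in grains['fqdn_ip4'] -%}
+#ListenAddress {{ sshd_interface }}
+#{% endfor %}
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+{%- if 'sftp_group' in pillar %}
+
+Match Group {{ pillar['sftp_group'] }}
+ForceCommand internal-sftp
+ChrootDirectory {{ pillar['sftp_chroot'] }}%h
+AuthorizedKeysFile /srv/sftp/authorized_keys/%u/keys
+PasswordAuthentication yes
+{%- endif %}
+{%- if 'ssh_customer_group' in pillar %}
+
+Match Group {{ pillar['ssh_customer_group'] }}
+PasswordAuthentication yes
+{%- endif %}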
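Review bot: `ChrootDirectory {{ pillar['sftp_chroot'] }}%h` is guarded only by `'sftp_group' in pillar`, so a minion that sets sftp_group without sftp_chroot renders either a Jinja undefined error or, with a lenient Undefined, `ChrootDirectory %h`, which chroots each user into their own writable home and sshd then refuses the login with a bad-ownership error. Use `{{ pillar.get('sftp_chroot', '/srv/sftp') }}` or widen the guard to `{%- if 'sftp_group' in pillar and 'sftp_chroot' in pillar %}`. Both Match blocks also set `PasswordAuthentication yes`, overriding the global `PasswordAuthentication no` for every member of those groups; that is presumably intended for LDAP-backed customers, but a comment above each block would stop the global `no` being read as the effective policy. `HostKey /etc/ssh/ssh_host_dsa_key` keeps a 1024-bit DSA host key on offer; dropping it in favour of the RSA and ECDSA keys costs nothing with `Protocol 2`.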
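--- a/states/ldapclient/init.sls
+++ b/states/ldapclient/init.sls
@@ -0,0 +1,33 @@
+ldapclient:
+  debconf.set:
+    - name: nslcd
+    - data:
+        'nslcd/ldap-base': {'type': 'string', 'value': '{{ pillar.get("ldap_base") }}'}
+        'nslcd/ldap-uris': {'type': 'string', 'value': '{{ pillar.get("ldap_uris") }}'}
+  pkg.installed:
+    - pkgs:
+      - ldap-utils
+      - nslcd
+      - libnss-ldapd
+{% if 'ldap_auth' in pillar %}
+      - libpam-ldapd
+{% endif %}
+  service.running:
+    - name: nslcd
+    - require:
+      - pkg: ldapclient
+      - debconf: nslcd
+
+libnss-ldapd-reconfigure:
+  cmd.wait:
+    - name: dpkg-reconfigure --frontend=noninteractive libnss-ldapd
+    - require:
+      - pkg: ldapclient
+    - watch:
+      - debconf: libnss-ldapd-debconf
+
+libnss-ldapd-debconf:
+  debconf.set:
+    - name: libnss-ldapd
+    - data:
+        'libnss-ldapd/nsswitch': {'type': 'multiselect', 'value': 'group, passwd'}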
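Review bot: The `ldapclient` debconf.set answers for `nslcd/ldap-base` and `nslcd/ldap-uris` are, as far as I can tell, only read by the nslcd package's configuration step, so on a host where nslcd is already installed a later change to `ldap_base` or `ldap_uris` in pillar updates the debconf database but never reaches the running configuration, and nothing restarts nslcd; the `libnss-ldapd-reconfigure` state does exactly this for libnss-ldapd but has no counterpart for nslcd. Add a matching `nslcd-reconfigure` cmd.wait that watches the `ldapclient` debconf state and feeds `watch_in` to the nslcd service so the daemon picks up a new server. Separately, the two values are rendered through `pillar.get(...)` without a default, so a missing key becomes the literal string `None` in the debconf answer; `pillar['ldap_base']` or an explicit default would fail louder.
```yaml
# … unchanged: ldapclient, libnss-ldapd-reconfigure, libnss-ldapd-debconf states …

nslcd-reconfigure:
  cmd.wait:
    - name: dpkg-reconfigure --frontend=noninteractive nslcd
    - require:
      - pkg: ldapclient
    - watch:
      - debconf: ldapclient
    - watch_in:
      - service: ldapclient
```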